What is the purpose of these instructions?

These instructions complement and reinforce the Office of Management and Budget’s (OMB) guidance on developing the Exhibit 300, Capital Asset Plan and Business Case Summary, in support of funding for major information technology (IT) investments as contained in OMB Circular A-11, Section 300. These instructions also address questions added by the Department to the Exhibit 300 to meet Commerce IT Planning requirements including generating the Exhibit 53 IT Portfolio Report.

What is the definition of Information Technology

Information Technology as defined by the Clinger-Cohen Act of 1996 means any equipment or interconnected system or subsystem of equipment used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information. Information technology includes computers, ancillary equipment, software, firmware and similar procedures, services (including support services), and related resources. Commerce has applied this to mean that passive sensors that only acquire scientific information (such as wind speed or temperature) are not considered IT for the purposes of the OMB IT budget reporting, but when such sensors transmit the information to other locations and systems, such as transmitters on radar antennae, they are included as IT assets.

Which IT investments require an Exhibit 300?

All planned and actual IT spending, except for national security information systems, needs to be accounted for in an Exhibit 300 . . For major IT investments, complete the entire Exhibit 300, selecting Part II, Part III or Part IV depending on whether the investment is under development, in steady state or is part of the e-Gov effort. For non-major IT investments, complete the Exhibit 300 description field, as well as the summary of spending, funding sources, acquisition, performance, security, privacy, and milestones tables.

What distinguishes a Major from a Non-Major Investment?

A major investment is a system or investment that requires special management attention because it:

Was defined as a major project in the previous fiscal year

Is for financial management and obligates more than $500,000 annually

Has high development, operating, or maintenance costs

Has high executive visibility

Has significant program or policy implications

Has been determined to be major by OMB or Commerce’s Capital Planning and Investment Control process

Any investments that are not major are referred to as “non-major.”

In accordance with Department of Commerce policies and procedures an Exhibit 300 is required even for Non-major IT investments when:

IT Investment Authority approval is requested

an IT budget initiative is requested

an IT investment will be presented before the Commerce Investment Review Board (IRB), the Commerce IT Review Board (CITRB) or, for budget initiative requests, before the Departmental (staff level) IT Review Board

it will be presented before the Acquisition Review Board (ARB)

What is the purpose of the Exhibit 300?

The Exhibit 300 is a high level summary of the planning, budgeting, acquisition, and management of Federal capital assets and helps meet reporting requirements for major IT investments. In the case of IT investments that are proposed or underway, this information is used by the operating unit, the Department’s Capital Investment Technology Review Board (CITRB), and OMB to determine if investment funding should be recommended or continued. For investments that are now steady state, the Exhibit 300 is used to review the investment’s current status and, assess how well the investment is accomplishing its goals. In addition, the Exhibit 300 is required when requesting a delegation of procurement authority from the CIO through the CITRB or the Acquisition Review Board to proceed with a large contract. The data in the Exhibit 300 is also the source of the information (contracts, performance metrics and milestones) that needs to be updated monthly in the OMB IT Dashboard.

All information necessary to complete an Exhibit 300, and the supporting documentation, should already exist within project specific documentation and such information should be up-to-date and readily available upon request.

Where is Exhibit 300 information entered?

All Exhibit 300s, whether for a major or non-major investment, are entered in the on-line electronic Capital Planning and Investment Control (eCPIC) system along with key supporting information such as CITRB presentations, DPA request and approval, and acquisition strategy documents. The data in the Exhibit 300s entered in eCPIC is used to generate the Department’s Exhibit 53 IT Portfolio report. For technical guidance on using eCPIC, access the on-line user guide directly from the “Help” module within eCPIC or contact the eCPIC helpdesk at ecpichelp@doc.gov.

What is the schedule for updating and submitting an Exhibit 300?

The Exhibit 300 information in Commerce’s on-line electronic Capital Planning and Investment Control system (eCPIC) should be kept up to date. Specifically for major investments, the Exhibit 300 information on contracts, performance metrics and milestones must be updated monthly to support the requirements of the OMB IT Dashboard. The operating units (OU) are expected to review and approve the Exhibit 300 before it is submitted to the Commerce Information Technology Review Board (CITRB), Commerce Investment Review Board, Acquisition Review Board (ARB) or the Department Office of the CIO as part of the budget review process. At a minimum, all exhibit 300s are reviewed by the Department in August for submission to OMB in early September as part of the Department budget request. Following the OMB Passback in late November, updated Exhibit 300s are reviewed by the Department for submission to OMB in early January in support of the President’s Budget to Congress.

When does a publicly releasable Exhibit 300 need to be prepared?

Following the release of the Presidents Budget in early February, all major Exhibit 300s will be sent to OMB to redact and post on their public facing web site.

Is the Exhibit 300 information used in any other OMB Exhibits?

The eCPIC system extracts data from the major and non-major Exhibit 300s to produce the Department of Commerce Exhibit 53 IT Investment Portfolio report, which lists all IT funding broken out by major activity. Each OU may generate an Exhibit 53 that contains only data from the OU. Exhibit 53s for the whole Department are submitted in September and January to OMB. The information in the Exhibit 300 and Exhibit 53 is also used to verify the data in the Exhibit 52 for financial systems and the Federal Information Security Management Act (FISMA) report on security expenditures for IT systems. Exhibit 300 Enterprise Architecture and performance information must also be consistent with the Enterprise Architecture submission to OMB.

Who is responsible for developing the Exhibit 300?

Developing an investment business case and summarizing the results in an Exhibit 300 are the responsibility of the Project Manager and the operating unit CIO. Following completion of the project or its main goals, the Exhibit 300 will be the foundation for any post-implementation review.

I/OA/T are defined by OMB as “… all IT investments that support common user systems, communications, and computing infrastructure. These investments usually involve multiple mission areas and might include general LAN/WAN, desktops, data centers, cross-cutting issues such as shared IT security initiatives, and telecommunications.”

Currently, the Department produces a single Exhibit 300 covering all I/OA/T investments, though in the future operating units may produce their own infrastructure 300. This business case, which appears in Part II of the Department’s Exhibit 53, IT Portfolio Funding, consolidates all of the operating units I/OA/T investments not directly associated with a specific programmatic goal. Each operating unit must submit their information into an operating unit specific “Infrastructure” Exhibit 300 in eCPIC. From the operating unit Exhibit 300s, a single Department consolidated Exhibit 300 is created. The specific information requested is defined in the IT Infrastructure Budget Call, which is issued in early July and due to the Department in early August, the same time as all other Exhibit 300s.

I. A. Overview

Descriptive Information

What is the basis for creating a unique project ID number for an investment?

Contact eCPIC Help Desk for assistance in generating a unique project ID number for a new investment. Section 53 of OMB Circular A-11 defines the Unique Project ID (UPI) code associated with each investment as summarized below.

For the sample UID 006-00-02-13-01-3201-24

First 3 digits - Department code, “006” for Commerce

Fourth and fifth digits - Operating unit code, “00” is used to identify Department-wide investments such as Commerce Business Systems

Eighth and ninth digits – A Mission Area that is selected from an automated pick list. Some Mission Areas are defined by operating units; other mission areas such as “01” for Financial systems are Department-wide categories. Contact the eCPIC system administrator if your operating unit wants to add a mission area.

Tenth and eleventh digits – Indicates type of investment. “01” is for a major investment, a non-major is “02.” "03" represents an IT investment that is part of a larger asset with an existing business case. "04" identifies a major IT investment for which another agency has the lead management and reporting responsibility

Twelfth through fifteenth digits – A unique 4 digit project code. Each operating unit has been assigned a number range. Per the listing below “3201” identifies this as a NOAA investment.

PMA E-Gov – 0001 through 0050

Dept-wide – 0051 through 0299

OS, OGC –-- 0300 through 0599

OIG –- 0600 through 0699

ESA and BEA -- 5000 through 5499

BIS –- 5500 through 5999

Census – 4000 through 4999

EDA – 6000 through 6499

ITA --- 6500 through 6999

MBDA - 0900 through 0999

NOAA – 3000 through 3999

NIST, TA/OTP – 7000 through 7299

NTIA -- 7300 through 7499

NTIS -- 2000 through 2199

PTO – 8000 through 8999

Sixteenth and seventeenth digits – Specifies the investment category. An E-Government initiative endorsed by the President's Management Council (PMC) or an individual agency's participation in a PMC E-Government initiative is identified by a “24.” An investment or investment component that is part of the OMB High Risk list is identified with a “07”.

Can an Exhibit 300's funding be split into multiple Exhibit 53 investment or mission areas?

OMB requires that each Exhibit 300 have a unique user ID that refers to only one investment on Exhibit 53. If an investment falls into two or more mission areas, keep all the funding under the most important mission area for that investment.

When is an investment a "mixed life cycle" type, and what part of the Exhibit 300 does it complete?

If budget year funding is for two or more project stages (Planning, Acquisition, and Maintenance) or if BY funding is for operations and maintenance but planning or acquisition activity is still underway in PY or CY, then the investment is "mixed." For mixed life cycle investments fill in Part I and Part II of the Exhibit 300.

What is a steady state investment and what part of the Exhibit 300 does it complete?

Steady State is synonymous with the Operations & Maintenance stage listed in the Summary of Spending table. Steady State investment is for routine maintenance, helpdesk support, and routine technology refreshment of completed systems. Complete only Parts 1 and 3 of the Exhibit 300 for investments that are in this life cycle stage.

When is an investment considered development, modernization and enhancement (DME), not steady state?

Any significant activity required to substantially increase the investment’s capability and capacity, especially when it is needed by a specific time, qualifies as a development effort. From a project management perspective, if a proposed investment increase has risks that are distinct from the steady state effort then that new activity is in the planning or development stage.

Should the “brief summary and justification” focus on the technical solution or the investment's purpose?

The Exhibit 300 is a business case summary, not a technical solutions document. Describe what the investment is, what outcome it aims to achieve, and why that outcome is needed. The intended audience is people whose familiarity with the investment is largely limited to this description.

What is the difference between the “brief summary and justification” and the DOC Supplemental description?

The “brief summary and justification” is the only description that OMB will receive. The DOC Supplemental section allows the project manager to provide additional background information that will be seen by the Department but not by OMB. Do not repeat under DOC Supplemental information already provided under “summary and justification.”

Screening Questions

How do I answer "Did the Agency’s Investment Committee approve this request” if no review has occurred yet?

All major Department of Commerce IT investment initiatives are reviewed by the Commerce Office of the CIO when they are first proposed in the budget. A "No" answer to these and other yes/no questions may cause OMB's IT investment reviewers to recommend not funding that investment.

Does Date of Approval refer to the first approval or the most recent review date?

Enter the date when the project, as currently scoped, was first approved. Usually this will be the initial CITRB investment approval date. However, if the project was stopped, significantly redesigned, and then received approval to restart, use the later approval date.

Do the Project Manager, Contract Officer, and Project Sponsor need to be different people?

Yes; each position must be held by a different person.

Does the Project Manager need to be working full time on that investment?

Yes, the Project Manager needs to be devoted full time to each major IT investment. Having one person as project manager of more than one major IT investment is an unacceptable project risk. Good management practices, supported by OMB, state that one person cannot provide sufficient monitoring and control of multiple investments.

What is the FAC-P/PM certification?

A copy of the Federal Acquisition Certification for Program and Project Managers (FAC-P/PM) standard is available in eCPIC along with the Department’s implementation guidance. Every current Major investment project manager needs to meet senior/advanced level FAC P/PM certification or request a waiver which is good for one year.

When should I select “New Program Manager” in answer to the FAC-P/PM question?

Select the option "New Program Manager" when the individual has not been certified at the appropriate level and has been assigned to the program within the last twelve months. Unless a waiver is issued, new program/project managers have twelve months from the date of assignment to the project/program to achieve certification.

When should I select "Waiver Issued"?

There are three scenarios where "waiver issued" is an appropriate selection:

1. "Waiver Issued" is appropriate selection when the CAO, or designated functional manager such as the CIO, has waived all or part of the FAC-P/PM requirements in writing. For example, the CAO may waive the FAC-P/PM requirement for an existing program/project manager to attain certification within twelve months from the date of assignment.

2. "Waiver Issued" is also the appropriate selection if the individual is progressing towards certification but has not yet received final certification. In these cases, the designated functional manager must maintain information on the progress of the individual towards certification.

3. "Waiver Issued" may also be used if an agency has a process for issuing FAC-PPM certifications but the timing of the OMB 300 does not allow for certification prior to submission. In these cases, documentation regarding the agency process, timeline, and expected certification dates for eligible P/PMs must be kept on file for each individual.

Agencies that select "Waiver Issued" must ensure that waivers are issued only when determined to be in the best interest of the agency.

Who certifies FAC-P/PM qualifications?

FAC P/PM certification credentials are vetted by the Commerce Office of the CIO and are reviewed and issued by the Commerce Office of Acquisition Management.

IT Screening Questions

GAO issues a report called the “High Risk Series” on programs deemed at risk. OMB in the Passback issues a list of IT investments that are on a Management Watch List. From a security perspective, investments are deemed to be at low, medium or high risk due to their criticality and sensitivity of their content. OMB in the Passback memo includes a Management Watch List identifying IT investments based on the quality of their Exhibit 300 business cases.

Does the financial percentage include only the Core financial system?

Yes, OMB instructions explicitly identify the percentage as only for the core financial system.

How is the core financial systems percentage used?

The financial percentage is used to generate a core financial system cost estimate. This estimate is aggregated by operating unit and compared and reconciled against the Inventory of Financial Systems and the Exhibit 52 (Summary of Financial Systems). Coordinate with your operating unit's financial systems reporting office when calculating this percentage to ensure consistency between the Exhibit 300, Exhibit 53 and Exhibit 52.

Who is typically responsible for addressing the investment’s privacy responsibilities?

If your operating unit has a privacy officer or Privacy Impact Assessment (PIA) coordinator, list that person in the Exhibit 300. Otherwise, the project manager or preparer of the investment security certification and accreditation (C&A) is typically responsible for conducting the PIA and ensuring that the investment follows privacy requirements. Departmental privacy policy requires that non-public business information is treated the same as personal records in meeting privacy regulations.

Is there a list that identifies which investments support Homeland Security and in which categories?

Yes, all investments that support Homeland Security have been identified under specific categories in the Homeland Security database. This is a list that has been negotiated between the Department and OMB.

I. A.1 DOC Supplemental

What is the difference between the detailed description and the brief description provided under I.A. Descriptive Information?

Provide additional information to support the Commerce Capital Planning process. This information should not duplicate what was described earlier, and unlike the previous brief description, will not be submitted to OMB.

What is meant by “Assumptions”?

List what is assumed about the availability of resources and functionality specific to this project that, if not met, would result in a system change request or rebaseline request. There is no need to mention concern over not receiving full funding as you have no control over this and this ‘assumption’ is already documented in your budget summary. Feel free to provide background information here related to other sections of the business case summary that don't allow free form text; for example, assumptions behind information provided in the performance measure, alternatives analysis, or project schedule sections.

What sort of constraints should be identified?

Among cost, scope, and schedule, state which is most constrained, which moderately constrained, and which least constrained. Identify any other specific constraint(s) critical to project success such as the availability of a specific manpower skill.

What is meant by critical dependencies?

Identify the name of, and date by which, external data sources and systems must be in place, for this investment to get the data it needs to ensure that the investment’s output produces the intended outcome, i.e., what components of the Enterprise Architecture does this investment depend upon for achieving its intended objective.

I. B. Summary of Funding

In what units is funding entered in eCPIC?

All tables in eCPIC record funds in thousands of dollars. Summary of Spending (SOS) totals are automatically converted to millions of dollars upon export to the Exhibit 53.

Are all IT costs, even funds transferred from other budget accounts, included in the Summary of Spending table?

Yes, since the project manager is accountable for appropriately managing all funds received, all IT funding, regardless of their source are included in the Summary of Spending, Funding Source and Performance Milestone tables. To avoid double counting funds on the Exhibit 53, each funding source must be separately identified in the Funding Source table as described below.

What distinguishes the Planning and Acquisition Stages from the Maintenance Stage?

The Planning and Acquisition stages in the Summary of Spending table (SOS) are the same as Development/Modernization/Enhancement (DME) on the Exhibit 53, while the Operations & Maintenance stage is the same as Steady State. OMB Exhibit 53 guidance defines planning and acquisition as "changes or modifications to existing systems that improve capability or performance, [or] changes mandated by Congress or agency leadership ...” Prototype funding must be reported in the Acquisition stage. Include under the Maintenance stage funding for operating and maintaining the system at current capability and performance level. This encompasses the cost of corrective active and replacement of broken equipment. Major functional enhancements, modernization or replacement of a portion of an operational system is included under the planning and/or acquisition stages.

Why is it important to separate development from steady state?

Significant development efforts are allocated a budget to develop new features, services or capabilities by a specific time. This is distinct from the effort required to maintain ongoing operations also called “steady state”. For each significant development activity, the Exhibit 300 should have one or more performance measures, milestones, and estimated budget, as you would for any other discrete project.

On the Summary of Funding table what is the difference between budgetary resources and outlays?

Budgetary resources represent all the funds you have authority to spend, as established at the start of the fiscal year. This may include direct appropriations, transfers from other budget lines, working capital funds, reimbursable funding and revolving account funds. . Outlays, also called disbursements, represent payment of obligations. Outlay reporting is no longer included on the Summary of Spending table but is the basis for the performance milestone table reporting OMB has specified that the Summary of Funding “budgetary resources” for a completed fiscal shall not be retroactively amended to reflect actual obligations.

How can the full life cycle costs be shown if the project extends beyond the years shown?

In the last Summary of Spending column before the total, enter all other remaining costs (in later years) to complete the investment.

Does the Summary of Funding Total include FTE costs?

FTE cost is reported separately from Planning, Acquisition and Operations and Maintenance funds. A grand total of FTE and all the non-FTE funding appears in the last row of the Summary of Funding table below the FTE section. The Funding Source Table amounts however, do include both FTE and non-FTE dollars.

Should funds received from or provided to other federal agencies or transferred from other budget lines be reported?

The project manager is accountable for appropriately managing all funds received regardless of their sources. Such funding must be identified in a separate row or rows on the Funding Sources table. Generally, when entering the funding source of funds not directly appropriated for that investment, select “No in response to the question, “For OMB submission?” This appears when you choose the account code. Answering “No,” ensures that the data will not appear on the Exhibit 53, thereby avoiding double counting and funds transferred in from other sources.

Is there a way to verify that the Summary of Funding amounts equal the Funding Sources amounts?

The annual and grand total amounts for DME and Steady State on the Funding Sources table should be the same as the Summary of Funding budgetary resources total for FTE and Non FTE . A table reconciling the Summary of Spending and Funding Sources amounts appears immediately below the Funding Sources table. All the columns in the last row of the reconciliation table should equal zero. This verifies that all Summary of Funding amounts have been accounted for in the Funding Sources table.

Where does one report funds sent to another agency?

IT funding DOC sends to another agency must be reported in an Exhibit 300s funding source table as a transfer account. All IT funds transferred out must be reported the Commerce Exhibit 53. If the recipient agency is the managing partner of the investment then it, and not DOC, maintains the major Exhibit 300 business case. For the investment's unique identifier, use the 4 digit UID provided by the lead agency. Entering "04" in the 10th and 11th digits of the project's UID identifies it as funding provided to another agency.

Can multiple appropriated and non-appropriated accounts be entered in the Funding Sources table?

Yes, use the pick list in the Funding Sources table to identify each funding account’s name and number. Then enter the funding amount from each account. Separately identify each source of non-direct funding such as from another program or another department . The annual total and grand total from this table must match the budgetary resources annual and grand totals for FTE and non-FTE from the Summary of Spending table. If a funding source cannot be found on the eCPIC pick list, call the eCPIC Help Desk to add it.

Which IT investment should account for funds transferred between two Commerce investments?

Both investments are responsible for, and therefore must account for, this money. The source investment would include the transferred amount with the rest of its funding while the receiving investment would separately identify the source and define the ‘account’ as “Not” for OMB submission.

Does the total amount from the Summary of Funding table appear on the Exhibit 53?

The Exhibit 53 automatically includes all directly appropriated funds from the Funding Sources table but does not include funds identified in the Funding Sources table as reimbursable or other non-appropriated accounts. If non-appropriated funds are received, they should be included in the SOS table as well as in the other Exhibit 300 sections such as the acquisition table, the performance-milestone table, and in the EVM calculations.

Should there be a direct linkage between the Summary of Funding amounts and the performance baseline total?

Yes, the baseline total in the performance milestone tables at the end of Parts II and III must be consistent with the amounts in the Summary of Funding table.

I. C. Acquisition/Contract Strategy

Is other information needed to supplement the Exhibit 300 for an IT Investment Authority (ITIA) review?

When seeking IT Investment Authority, an Exhibit 300 is needed as well as an Acquisition Plan.

Should contract amounts be included that are more than the currently approved budget?

Include the total value of the portion of each contract supporting the investment including option years. If the contract value exceeds the approved budget profile shown in the Summary of Spending table, explain this difference in the DOC Supplementary project description.

Should contracts be listed that are used by more than one investment?

List only the task orders that apply to this investment.

In what dollar unit are the contract values?

All dollar values are in thousands.

Is the Contract information only for awarded contracts?

OMB guidance explicitly states that contracts and/or task orders planned for this investment shall be included in the contract data table. When entering planned investments, fill in the known data elements, other fields can be left blank. Data for proposed contracts cannot appear in the publicly releasable version of the Exhibit 300.

What size contracts or task orders should be included in the table?

Include all significant contracts and task orders sufficient to account for all or nearly all of the contract dollars.

Should the Contract or Task Order Number entered match the information in the Federal Procurement Database System?

The contract or task order number entered in the first column of the Contracts Table must exactly match what is in the Federal Procurement Database System (FPDS). Therefore, the contract number field must not contain any other characters, not even the contract name. OMB’s system will only identify the contract as valid if this field is an exact match with the FPDS number.

Must all contracts for DME activities include an Earned Value Management clause?

Department of Commerce policy requires that major IT investment contracts for DME activity include language mandating that the vendor provide Earned Value management (EVM) data, and that the investment have an EVM system in place.

If the contract complies with Section 508 regulations is an explanation still needed?

If the contract complies with Section 508 (accessibility) regulations, explain how. If the contract does not comply with Section 508, explain why not.

I. D. Performance Information

Why, for older investments, are there two performance tables?

The “Legacy” performance table only appears as an historical reference and cannot be edited. Enter data only in the Federal Enterprise Architecture (FEA) Performance Reference Model (PRM) table. For more information see the FEA Reference Model categories and definitions.

Can the performance measures be the same ones that appear in the Annual Performance Plan?

Use, as appropriate, performance measures that are part of the Annual Performance Plan or that can be tied to those measures.

Are measures needed during all phases of the project life cycle?

Performance measures are required for all phases of the project life cycle including planning and acquisition. During the planning and acquisition phases select performance measures and targets that certify or demonstrate the impact of completed project stages or useable end items. The performance measures provided should be consistent with the measures included in the budget submission document which, per OMB A-11 instructions, shows funding and performance measures for five years beyond the budget year.

What are the basic elements of a “Measurement Indicator”?

At a minimum, the measurement indicator should include the type of units (such as # of, % of), a clear, complete definition of what is being measured, and the periodicity of the measurement (monthly, annually…).

What is meant by baseline and should it remain constant?

A baseline is a specific quantitative or qualitative measure that existed or was established before the investment began and usually does not change over time. For example a baseline storm warning lead time of 12 minutes would be compared against the proposed performance targets for years 3, 4, and 5, to assess the net benefit from this investment.

What is an acceptable “Target”?

Must the performance targets show constant improvement?

Yes, the performance targets should show what added business value is being gained as result of the continuing investment. If the target metrics have reached a plateau, then select a new measure from that point forward that will capture the continuous improvement that is supposed to be achieved by all on-going capital investments.

Where can the linkage between the project performance measures and the high level outcome goals be described?

Strive to identify performance measures that have a clear connection ("line of sight") to each other and to your operating unit’s annual performance goals. To highlight the upper level linkage, a Strategic Goals column is included that contains the strategic objectives listed in the Commerce Strategic Plan. If the line of sight linkage would not be apparent to an outside observer, document this connection in the Description field of the Exhibit 300, in the Enterprise Architecture, and in the Strategic IT Plan.

Do performance measures need to be customer focused?

At least some of the performance measures should explicitly address who the customers are, and how the investment will benefit them. This is especially important for projects in the operations and maintenance stage where a crucial question is whether customers are receiving the benefits they expect from the system.

Should there be performance metrics for meeting IPv6 goals?

What are the acceptable Measurement Areas and Measurement Categories?

The Performance Reference Model, which is encoded in the eCPIC select boxes for the first few columns of Table 2, identifies four measurement areas and several groupings within each area that describe the attribute or characteristic measured as follows:

Mission and Business Results - Outcome measure tied to level 1 (Services for Citizens) and 3 (Management of Government Resources and Support Delivery of Services) of the FEA Business Reference Model. The measurement categories are services provided, support for services, management of resources, and financial

I. E. Security and Privacy

When are IT Security and Privacy considered in the project lifecycle?

Planning and funding for security and privacy must be done throughout the lifecycle of each investment. The investments budget must cover the cost for privacy impact assessments, quarterly and annual FISMA reporting requirements, annual security assessments, contingency plan testing, and for identifying and correcting weaknesses noted in the Plan of Action and Milestones (POA&M).

Must Steady State security requirements be met before improving the IT capital asset?

OMB Memorandum M-00-07, of February 28, 2000, directs that steady-state system operations must meet existing security requirements before new funds are spent on system development, modernization or enhancement.

How do I calculate the percent funding for IT Security?

Estimate the full cost of maintaining the IT investment's confidentiality, integrity, and availability for the budget year. This cost should include security activities such as, awareness training, intrusion detection, incident response, and security certification and accreditation if these are not otherwise reported on the Exhibit 53. Also include the estimated value of security requirements in the IT investment’s software development life cycle. Be sure to enter a non-zero value as a zero percent response will indicate that the system is not secure.

The same value, e.g., 2%, for all investments is not acceptable. Each investment must be evaluated independently. The IT security percentage reported for each investment is used to calculate the total IT security budget for each operating unit. Coordinate with your unit's IT Security Office to ensure that this calculation agrees with the IT Security funding data each operating unit transmits in its September FISMA report.

Is a special system name used for the security tables?

Create a separate record for each FISMA system inventory package that is associated with the investment. Under “Name of System” enter the FISMA system ID exactly as it appears in the FISMA report followed by the FISMA system name; for example, NOAA2400 Rockville Campus.

How important is it to complete the security systems tables?

A documented and completed C&A is required before a new system or major update to that system is allowed to be put into operation. In addition, to meet requirements, the C&A must be done at least every three years (using NIST 800-37) while the security control and contingency plan testing must be done annually.

Must all C&As be conducted using NIST SP 800-37 and 800-53A?

Yes, NIST 800-53A is now the official standard for monitoring and testing the security controls listed in NIST 800-53. These standards replace 800-26. Commerce FISMA reporting instructions have validated that all “non-national security programs and information systems must following NIST standards.”

Must the information in the IT Security Table be consistent with the data in the FISMA IT Inventory database?

Yes, the data in the IT Security Table must be consistent with the data in the FISMA Inventory which is the primary source of record. Specifically, the Accreditation date in the FISMA Inventory correlates to the Security table C&A date If one of the security tests or accreditation steps is completed after the FISMA reporting but before the submission of the Exhibit 300, then first send in the update to the FISMA database coordinator before entering the same data in eCPIC. This will ensure verifiable data consistency.

How do I know if the investment needs a Privacy Impact Assessment and what does it involve?

Answer “YES” to the PIA question only if the investment is required to submit a PIA under OMB criteria, and a PIA has been submitted.

Privacy Impact Assessments (PIA) are conducted to ensure adequate protection as required under the privacy provisions of the E-Government Act of 2002. The Office of the Chief Information Officer is responsible for developing IT privacy policy and guidance concerning when a Privacy Impact Assessment (PIA) is required. An operating unit must conduct a PIA for any Commerce IT system that collects and maintains personally identifiable information (name, address, social security number, etc.) from the public and employees, including contractors. The PIA results in a statement that identifies ways to enhance privacy protections in information systems and to ensure that they are adequate. This statement guides system owners and developers in assessing privacy through the early stages of development when requirements are being analyzed and decisions made about data use and system design. To create the PIA statement you must gather data and analyze privacy issues relating to the system and identify and resolve privacy risks. Operating units may conduct discretionary PIAs as they deem necessary for sensitive information other than personally identifiable information.

I. F. Enterprise Architecture

Should a segment architecture code be entered even if the segment is not yet approved?

A segment architecture code must be entered for every tangible investment .

What are the Segment Architecture Codes for approved segments?

If you select “Yes” for completed and approved segment, then you must enter a six digit code where the last three digits are typically 000. The codes are listed in eCPIC and available from your OU Enterprise Architect.

Does the Department review each major investment’s Enterprise Architecture?

The Commerce Enterprise Architecture Review Board is responsible for reviewing the OU’s enterprise architecture to ensure that all investments are properly and fully documented, and in compliance with the agency architecture standards and targets.

How should proposed new investments integrate with the agency business architecture?

Every new IT investment should impact the business architecture, changing it for the better. It would be difficult to defend the need for that investment if it had no such impact. Indicate what changes to organization, business processes, etc. are engendered by this initiative and what new or enhanced products and/or services it provides or facilitates.

What is the FEA Primary Mapping Information?

This information is carried forward from the Exhibit 300 data entered last year or earlier. It is up to the current project manager, in consultation with the operating unit CPIC representative, to determine if any change is needed. Enter either the code from the Federal Enterprise Architecture (FEA) Business Reference Model (BRM) or from the Service Component Reference Model (SRM). For functional applications use the BRM. For cross-cutting Service Type applications use the SRM. A full listing of the BRM and SRM codes can be found at the FEA site. The BRM Mode of Delivery lines of business are not valid as a primary FEA mapping.

How are SRM component categories identified?

To identify the proper SRM category for an investment component first use the business reference model to identify the correct investment category, then subdivide the business processes into discrete functions, and finally map each of these functions to the corresponding SRM Model grouping.

What is the purpose of the SRM Table?

As stated in the Federal Enterprise Architecture SRM Model version 1.0: “the SRM model is intended for use in discovering government-wide business and application Service Components in IT investments and assets. It is a component-based framework that provides, independent of business function, a leverageable foundation to support the reuse of applications, application capabilities, components, and business service.” From this and the list of components contained in the SRM, OMB is looking to identify components that can be reused across the Government regardless of which line of business they were originally designed for.

Should the SRM table BY Funding Percentage total 100%?

The entries in the SRM table include all SRM components in the investment including components that are shared with other projects. To the extent that not all of the budget year spending is for service components (for example FTE costs and training), the total of all the SRM spending may be less than 100% of the investment’s total BY funding.

How do you identify reuse components and calculate their BY funding percentage?

Reuse components only includes components reused from another investment. Such reuse generally incurs little or no cost to the benefiting investment, so the BY funding percentage will normally be 0%. The information provided in the SRM table must be consistent with the responses given to the “Reuse & Information Sharing” questions, i.e., include in the SRM table any reuse components referred to in the “Reuse & Information Sharing” response.

What is meant by internal versus external reuse?

Internal is within the Department of Commerce. External is when the reused component is from an agency that is outside the Department.

What is a Service Component UPI and who has this information?

All IT spending is categorized on the Exhibit 53 by “investment,” each of which has a Unique Project Identification (UPI) code. The Capital Planning and Investment Control (CPIC) lead for each operating unit has a list of that OU's IT investments and their UPI codes.

Must every SRM Component be mapped to a TRM Category?

Each SRM components must be mapped to all applicable TRM Service Area/Category and Standards to indicate the technology components that deploy each SRM component.

I. G. Alternatives Analysis

Does an alternative analysis always need to be conducted?

All new initiatives, whether they are a major part of an existing initiative or a completely new effort, need to be supported by an alternatives analysis. The alternative analysis should be based on market research and consider various approaches to meeting the identified need. The Department as well as OMB may ask for the alternative analysis plan from which the data in II.A is drawn. To allow prompt response to requests for information, attach the latest alternative analysis document to the investment’s resource library in eCPIC.

How often does the alternatives analysis need to be updated?

The alternative analysis should be updated at least every three years or whenever a major shift in system strategy is proposed.

What is included in the Risk Adjusted Life Cycle costs and benefits estimates?

The costs and benefits should cover the entire project life cycle from design, through operations and maintenance, including data migration and system disposal. Normally, the lifecycle cost is consistent with the Summary of Spending total including FTE. To allow prompt response to requests for supporting information, attach the latest independent and program office cost assessments and cost-benefit analyses to the investment’s resource library in eCPIC.

Is a cost-benefit spreadsheet template available?

Yes, a spreadsheet template is in the eCPIC Resource Library under the folder entitled Cost Benefit/EVA. Use benchmarks and market studies to identify the cost of alternatives.

Do costs and benefits need to be discounted?

Yes. The discount factors for investments of various time spans are published in OMB Circular A-94 and updated periodically.

Do legacy system migration costs need to be included in the new investment’s life-cycle cost?

Yes, the cost estimate for a new system includes the whole life cycle including migration from the legacy system and, at the end of the new system’s useful life, its disposal cost.

I. H. Risk Management

Does the Risk Management Plan need to be kept current?

Yes, the Risk Management Plan includes current risk mitigation targets and activities. The current plan reflects whether or when these milestones are achieved and what new risk measures are needed as the project reaches later stages of development. At a minimum, a formal risk management plan should be redone every three years.

Does a current Risk Management Plan need to be available upon request?

All documentation that is affirmed to be available can be requested at any time by OMB. In addition, the Department routinely requests supporting documentation in advance of a CITRB review. To allow prompt response to requests for information, attach the latest Risk Management Plan to the investment’s resource library in eCPIC.

What is included in a Risk Management Plan?

The risk management plan documents the procedures to be used to manage risk during the life of the project and the results of those procedures i.e. a risk register. It should identify and quantify project risks, prioritize risk for further analysis and action, identify the parties responsible for managing the various areas of risk, develop appropriate responses and mitigation plans for specific risks, and identify plans to monitor and control the specified risks. Since additional risks will always be identified while the project is being executed, the risk management plan must be revisited on a regular basis and kept current as new information about the project becomes available. An excellent source of information on project risk management and the risk management planning process is the Project Management Institute’s PMBOK Guide.

II. Planning, Acquisition, and Performance Information

Do systems expected to be in steady state in BY need to complete Part II?

If the investment will not achieve full steady state status until the BY, then Part II still needs to be completed in order to track the status of the ongoing DME activity.

A. Cost and Schedule Performance

What level of detail should be provided in the Cost and Schedule Performance milestones?

The milestones should correspond to the third level of the investment’s work breakdown structure and be activity oriented; for example, “complete ground sensor testing.” Wherever appropriate, break out spending by project phase (planning, development/acquisition, operations and maintenance) and by contract.

What is meant by initial and current baseline and how can they be changed?

Initial baseline is the first OMB approved project baseline and is kept unchanged to reflect the project’s history. Similarly, the investment’s current baseline for CY and earlier cannot be retroactively changed. If project assumptions significantly change, it may be appropriate to change the “Current” baseline from that date forward. Proposed changes to the baseline are entered in the baseline change request (BCR) form in eCPIC and reviewed by the operating unit and Department. Any request for a replan or rebaseline requires the operating unit CIO to approve the change and to inform and justify the change to the Department. For details on the baseline change request process see the Implementation of IT Investment Performance Management Policy and the Commerce IT Investment Performance Management Policy.

What duration should the Milestone Activities Be?

The major objective of the performance milestones is to have a timely, objective indicator of the project’s health. Milestone activities should be a year or less in duration. Short, activity oriented milestones ensure faster identification of any issues and allows for more timely intervention to help ensure that problems do not evolve into crises. .

Must the start dates and % Plan columns be completed?

To see all the cost and schedule table columns, in the upper right, above the table, under “Select View,” choose “All Fields View.” The plan and actual start dates are needed to correctly identify the length of a milestone. While some milestones may be one year in duration most activity based milestones are not totally synchronous with the fiscal year. The % plan column figure is entered whenever the actual % complete is updated. The plan % figure is particularly important when the planned spend out rate is not evenly distributed across the duration of the milestone.

What costs are included in the baseline funding?

The baseline includes all planning, development, and operations & maintenance funding in the life cycle budget regardless of source, including FTE costs. In other words, the baseline plan total normally matches the Summary of Funding and Funding Sources table totals. However, the baseline plan and actual costs represent expected and actual spending rather than budget resources available. Typically, investment spending as represented by outlay rates, lags considerably behind budgetary resource availability.

What is entered in the Actual column for the Current Baseline?

The Actual column under Total Cost represents actual costs to date. The actual column under “completion date” should only be filled in when the task is completed.

Is it bad to show a variance in the performance baseline table?

It is highly unusual for an IT investment with all its associated risks and unknowns not to have variances, positive and negative, against their baseline costs and schedule. Typically, when an investment shows little or no variances for any of its milestones it indicates that either the milestones are insufficiently detailed, the information is inaccurate or that the plan is being constantly rebaselined.

Does the Agency Head need to approve program continuation if the cost or schedule variance is 10% or greater?

The operating unit CIO and Department CIO must be notified if the negative variance is 10% or greater. In explaining cost or schedule variances, address any changes to the spend plan baseline and associate all variances with specific risks and mitigation strategies cited in the risk management section.

III. A. Cost and Schedule Performance

What is the Department guidance for conducting operational analysis?

Operational analysis is conducted periodically on an operational (also known as steady state) system. Major IT systems must report operational analysis results annually to the Department, typically in early February. An operational analysis verifies whether the investment is meeting its cost, schedule, and performance goals, as well as analyzing and identifying smarter, more cost effective methods for achieving the desired goal. For further information see the Department’s Operational Analysis and Performance Reporting guidance.

IV. Multi-Agency Collaboration Oversight

What investments need to complete this section?

Only the Managing Partner of an E-Gov, Line of Business or similar multi-agency collaboration investment fills out this section. Supporting capital asset investments that are not part of the Managing Partner’s business case should not use Part IV but rather should complete Part II or Part III as appropriate.

What if I have additional questions regarding the Exhibit 300 or eCPIC?

If you have questions regarding this advice or need related assistance on using eCPIC to complete an Exhibit 300, please contact Stuart Simon at 202-482-0275 or ssimon@doc.gov